STYLE: Add SPDX license identifiers to all ITK source files#6084

Open
hjmjohnson wants to merge 1 commit into InsightSoftwareConsortium:main from hjmjohnson:spdx-file-headers

Conversation

@hjmjohnson
Member

Prepends two machine-readable SPDX lines to each of 5,698 ITK-owned source files following VTK's convention, and updates the KWStyle header template so new files are enforced to carry SPDX going forward. Pairs with #5817 (SBOM infrastructure, targets this branch); the two PRs are bound and must merge together or in strict order (this PR first, then #5817 rebased onto main).

Single commit, mechanical diff — copy-paste review.

Note: this PR replaces the phantom-merged #6063, which was auto-closed by GitHub as "merged" when a force-push to its source branch made its head an ancestor of the (changed) base. No content landed in main from that closure; this PR carries the same content with correct base/head.

Format (matching VTK convention)

C/C++ files (.h, .hxx, .cxx, .txx):

// SPDX-FileCopyrightText: Copyright NumFOCUS
// SPDX-License-Identifier: Apache-2.0
/*=========================================================================
 *  Copyright NumFOCUS
 *  ...existing Apache-2.0 block, unchanged...
 *=========================================================================*/

Python / CMake / shell files use #-prefix equivalents. The existing 17-line Apache-2.0 notice block is unchanged.

The two SPDX lines are machine-readable equivalents of the existing Apache-2.0 notice and are parseable by REUSE, scancode-toolkit, fossology, Trivy, Grype, and OSV-Scanner.

Scope — what changes in this PR
  • 5,698 ITK-owned files modified: .h, .hxx, .cxx, .txx, .py, .cmake, CMakeLists.txt
  • 1 KWStyle template updated: Utilities/KWStyle/ITKHeader.h gains the two SPDX lines so new files going forward are enforced
  • Only files containing Copyright NumFOCUS are touched (ITK-owned criterion)
  • Modules/ThirdParty/ excluded — vendored projects keep upstream notices and are tracked per-module in the SBOM (#5817)
  • Total: 5,699 files, +11,398 lines, -0 lines; no non-tagging changes

Not in this PR (in #5817 instead):

  • The migration script (Utilities/Maintenance/AddSPDXHeaders.py) used to produce this diff
  • The pre-commit hook (check-spdx-headers)
  • The SBOM generator and four validation CTests
  • REUSE.toml and LICENSES/
Why these two PRs are bound

Neither PR is functional without the other:

  • This PR alone tags 5,698 files with SPDX headers but ships no tooling that consumes them. No SBOM generator reads the metadata. The tags are dead weight without the infrastructure.
  • #5817 (ENH: Generate SPDX 2.3 Software Bill of Materials at configure time) alone ships the SBOM generator, validators, migration script, REUSE metadata, and pre-commit hook — but the 5,698 source files still carry the old header shape. reuse lint would flag thousands of files. CI breaks.

Merge order: this PR merges first (onto main), then #5817 rebases onto the new main and merges. Or both merge together via a merge queue.

Why — regulatory drivers (medical imaging + commercial use)

ITK's 2019 community survey documented 32% commercial users, 74% medical imaging focus. The combination makes SPDX-tagged source files and the companion SBOM a hard regulatory requirement for ITK's core audience:

  • 21 USC 360n-2 / FD&C Act §524B(b)(3) (effective 2023-03-29) — federal statute requiring an SBOM for every "cyber device" premarket submission, listing commercial, open-source, and off-the-shelf software components. ITK is explicitly OTS per docs.itk.org.
  • IEC 81001-5-1:2021 — EU-harmonized cybersecurity standard with explicit SBOM reference in Annex E.2.4; harmonized under MDR since May 2024.
  • EU Cyber Resilience Act (Regulation 2024/2847) — machine-readable SBOM obligations from 2027-12-11.

Discourse evidence of real commercial-audit incidents:
#7452 (ACM-licensed rpoly.f discovery), #7632 (manual license audits), #7748 (active CVE tracking).

See #5817 for the full justification discussion.

Test plan — verified locally on the combined stack
  • CMake configure: 49.2s, no errors
  • Full build: 5,968/5,968 targets, 0 warnings, 0 errors
  • Full CTest suite: 3,218/3,218 tests pass (1 unrelated NumericLocale skip)
  • pre-commit run --all-files passes every hook
  • reuse lint reports 0 non-ThirdParty compliance gaps
  • Generated SBOM validates against spdx-tools
  • cmake --install places SBOM at share/spdx/sbom.spdx.json
  • Sample files across each extension spot-checked byte-perfect against the KWStyle template
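
A local check of the header shape described in the format section above, as an added example: it is not ITK's check-spdx-headers hook (that lives in #5817 and is not shown on this page) and not the AddSPDXHeaders.py migration script. It encodes only the rules the description states: a file is ITK-owned if it contains "Copyright NumFOCUS", anything under Modules/ThirdParty/ is skipped, C/C++ files carry "//"-prefixed SPDX lines and Python/CMake/shell files carry "#"-prefixed ones. Tolerating a leading "#!" line before the SPDX pair, the ".sh" extension, and the constructed sample tree are assumptions of this example, not facts from the PR.

```python
"""Check that ITK-owned source files start with the two SPDX lines.

Added example, not the project's own check-spdx-headers hook. Rules follow
the PR description; shebang handling and the sample tree are assumptions.
"""
import os
import sys
import tempfile
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

OWNED_MARKER = "Copyright NumFOCUS"          # "ITK-owned" criterion from the PR
SPDX_LINES = (
    "SPDX-FileCopyrightText: Copyright NumFOCUS",
    "SPDX-License-Identifier: Apache-2.0",
)
SLASH_EXTS = {".h", ".hxx", ".cxx", ".txx"}  # C/C++: "//" prefix
HASH_EXTS = {".py", ".cmake", ".sh"}         # Python/CMake/shell: "#" (.sh assumed)
HASH_NAMES = {"CMakeLists.txt"}


def comment_prefix(rel_path: str) -> Optional[str]:
    """Comment prefix for a file kind the PR tags; None for other files."""
    p = PurePosixPath(rel_path)
    if p.name in HASH_NAMES or p.suffix in HASH_EXTS:
        return "#"
    if p.suffix in SLASH_EXTS:
        return "//"
    return None


def is_third_party(rel_path: str) -> bool:
    """True when the path lies under Modules/ThirdParty/ (vendored code)."""
    parts = PurePosixPath(rel_path).parts
    return any(parts[i:i + 2] == ("Modules", "ThirdParty")
               for i in range(len(parts) - 1))


def check_header(rel_path: str, text: str) -> Optional[str]:
    """None if the file is out of scope or correctly tagged, else a reason."""
    prefix = comment_prefix(rel_path)
    if prefix is None or is_third_party(rel_path):
        return None
    if OWNED_MARKER not in text:
        return None                           # not ITK-owned: out of scope
    lines = text.splitlines()
    start = 0
    # Assumption: a shebang must stay on line 1, so the SPDX pair follows it.
    if prefix == "#" and lines and lines[0].startswith("#!"):
        start = 1
    expected = [f"{prefix} {s}" for s in SPDX_LINES]
    actual = lines[start:start + 2]
    if actual != expected:
        got = actual[0] if actual else "<empty file>"
        return f"expected {expected[0]!r} first, got {got!r}"
    return None


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk root; return (relative path, reason) for each mis-tagged owned file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                reason = check_header(rel, fh.read())
            if reason is not None:
                findings.append((rel, reason))
    return sorted(findings)


# Constructed sample tree (relative path -> contents); these are not ITK files.
DEMO_FILES = {
    "Modules/Core/Common/include/itkDemoGood.h":
        "// SPDX-FileCopyrightText: Copyright NumFOCUS\n"
        "// SPDX-License-Identifier: Apache-2.0\n"
        "/*=====\n *  Copyright NumFOCUS\n *=====*/\n",
    "Modules/Core/Common/CMakeLists.txt": "# Copyright NumFOCUS\nproject(Demo)\n",
    "Utilities/Maintenance/demo.py":
        "#!/usr/bin/env python3\n"
        "# SPDX-FileCopyrightText: Copyright NumFOCUS\n"
        "# SPDX-License-Identifier: Apache-2.0\n"
        "# Copyright NumFOCUS\n",
    "Modules/ThirdParty/Demo/src/demo.h": "/* Copyright NumFOCUS placeholder */\n",
    "Modules/Core/Common/src/itkDemoBad.cxx": "/* Copyright NumFOCUS */\n",
    "README.md": "Copyright NumFOCUS\n",        # not a tagged file kind
}


def run_demo() -> List[str]:
    """Write the constructed tree to a temp dir, scan it, return flagged paths."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in DEMO_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return [rel for rel, _reason in scan_tree(root)]


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # python check.py /path/to/ITK
        for rel, reason in scan_tree(sys.argv[1]):
            print(f"{rel}: {reason}")
    else:
        print("flagged in constructed demo tree:", run_demo())
```

Run with a checkout path to list owned files whose first lines differ from the expected pair; run without arguments to see the constructed tree, where only the untagged CMakeLists.txt and .cxx are flagged while the vendored ThirdParty file and the non-tagged README are ignored.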

@hjmjohnson
Member Author

/azp run

@hjmjohnson hjmjohnson marked this pull request as ready for review April 18, 2026 22:19
@greptile-apps
Contributor

greptile-apps Bot commented Apr 18, 2026

Too many files changed for review. (3000 files found, 100 file limit)

Prepends the two-line SPDX notice to 5,698 ITK-owned source files
(.h/.hxx/.cxx/.txx/.py/.cmake/CMakeLists.txt) and updates the KWStyle
template so new files are enforced going forward.

  // SPDX-FileCopyrightText: Copyright NumFOCUS
  // SPDX-License-Identifier: Apache-2.0

Applied by Utilities/Maintenance/AddSPDXHeaders.py (companion PR InsightSoftwareConsortium#5817).
Modules/ThirdParty/ excluded.

Labels

type:Style Style changes: no logic impact (indentation, comments, naming)
